Health Apps, Hackers, and Patient Privacy

It’s extremely convenient to have access to your medical history, your doctor’s name, even your home address all at your fingertips. Mobile health apps have positively disrupted the healthcare landscape by empowering patients, reducing cost of care and enhancing patient outcomes. But some health apps on your mobile device may be vulnerable to hackers. Technology experts discussed the risks at a House hearing July 13 with the Energy and Commerce subcommittee.

The fast growth of information technologies in the health care sector has outpaced the industry’s efforts to safeguard them. Research2guidance reports there are 45,000 app publishers responsible for more than 165,000 mobile health apps on the market today. These apps offer a wide range of health care services and clinical information including users’ access to personal and sensitive electronic health records from doctors or hospitals.

Experts say health apps are desirable targets for hackers because of the kind of information they store. A stolen credit card number can be easily cancelled, but medical histories, and the home addresses and Social Security numbers that often go into medical records, are hard to change and therefore can be sold for a higher price on the black market.

As the market grows rapidly with smartphone adoption, one-fifth of mobile devices in the U.S. have a health app installed. A recent study in the Journal of the American Medical Association showed that of the 271 apps studied, 81 percent did not have privacy policies. Of the 19 percent (41 apps) that did have privacy policies, only four specified that they would seek permission before sharing data with third parties.

The sale of data collected by the apps isn’t regulated. Health apps also are not subject to the privacy and security regulations in the Health Insurance Portability and Accountability Act (HIPAA).

Nicolas Terry, Indiana University Maurer School of Law professor and a health care technologies regulation expert, called for federal regulatory agencies to step in and create patient-information protections for the apps. “The most disruptive mobile health apps are those that are patient-facing,” Terry explained, referring to apps where information is directly available to users. Such a direct app-patient relationship lacks any professional buffer between the user and the information, he said. As a result, such apps “are not subject to the HIPAA privacy and security rules leaving patient wellness and health data woefully unprotected.”

“In order to ensure the continuous innovation of these vitally important apps, smart regulation is critical,” said Diane Johnson, director of the Strategic Regulatory at Johnson & Johnson, a multi-national medical products and services provider that offers a number of mHealth apps. “Patient privacy should be well addressed. The selling of this information should be more transparent.”

One expert argued that data saved on individual devices may be safer than data saved in the cloud. Bettina Experton, president of Humetrix, a health app developer based in Del Mar, Calif., said users’ information is “highly secure in personal devices. Your phone can store securely when it’s encrypted. It’s in your hands and under your control.”